starred/modoboa-modoboa
1
0
Fork 0
mirror of https://github.com/modoboa/modoboa.git synced 2026-04-26 17:36:01 +03:00
Code Issues 60 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1265] [Security] Insecure permission for Resellers users' domain view. #1024

New issue
Closed
opened 2026-02-27 11:14:48 +03:00 by kerem · 0 comments
kerem commented 2026-02-27 11:14:48 +03:00
Owner
Copy link

Originally created by @pavinjosdev on GitHub (Oct 8, 2017).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/1265

Impacted versions

  • Modoboa: 1.8.1-1.9.0
  • installer used: Yes
  • Webserver: Nginx

Steps to reproduce

  1. Create a domain as admin/Resellers user.
  2. Create a Resellers user
  3. Login as above Resellers user and create a domain
  4. URL of new domain (assuming this is the second domain in this modoboa instance) will be https://hostname.domain.tld/admin/domains/2/
  5. Go to https://hostname.domain.tld/admin/domains/1/ and the first domain (created by another user) will be visible. Similarly for numbers above 2 if there are more domains added by other users.

Current behavior

Changing the domain number in URL will show domains to Resellers user to which he has no permission. Currently this security issue applies to any user with a domain view including Resellers, Domain administrators, etc.

Expected behavior

Changing the domain number in URL should not show domains to Resellers user to which he has no permission. He should be redirected to login.

Video/Screenshot link (optional)

Originally created by @pavinjosdev on GitHub (Oct 8, 2017). Original GitHub issue: https://github.com/modoboa/modoboa/issues/1265 # Impacted versions * Modoboa: 1.8.1-1.9.0 * installer used: Yes * Webserver: Nginx # Steps to reproduce 1. Create a domain as admin/Resellers user. 2. Create a Resellers user 3. Login as above Resellers user and create a domain 4. URL of new domain (assuming this is the second domain in this modoboa instance) will be https://hostname.domain.tld/admin/domains/2/ 5. Go to https://hostname.domain.tld/admin/domains/1/ and the first domain (created by another user) will be visible. Similarly for numbers above 2 if there are more domains added by other users. # Current behavior Changing the domain number in URL will show domains to Resellers user to which he has no permission. Currently this security issue applies to any user with a domain view including Resellers, Domain administrators, etc. # Expected behavior Changing the domain number in URL should not show domains to Resellers user to which he has no permission. He should be redirected to login. # Video/Screenshot link (optional)
kerem 2026-02-27 11:14:48 +03:00
  • closed this issue
  • added the
    bug
         label
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix/sievefilters-allow-email-in-rule-name
dependabot/npm_and_yarn/frontend/axios-1.15.0
translations_04c0b653215cb5fa48ab101eae1a1917_ja_JP
translations_5d93982e9fd6dab991db4faf93ce9ded_ja_JP
fix/login-issue-3995
fix/sievefilters-issues
add-vitepress-openapi
2974-dmarc-empty-email
2.3.x
updated-doc-2.3.0
feature/OIDC
delete-all-alarms
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_af_ZA
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ar
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ca
1.x
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_sk
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_tr
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_es_ES
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_uk
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_zh_CN
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_de_DE
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_da_DK
1.8.x
1.7.x
1.6.x
1.4.x
1.3.x
1.2.x
2.8.2
2.8.1
2.8.0
2.7.2
2.7.1
2.7.0
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.5.1
2.5.0
2.4.11
2.4.10
2.4.9
2.4.8
2.4.7
2.4.6
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.6
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.3.0-beta.4
2.3.0-beta.3
2.3.0-beta.2
2.3.0-beta.1
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.2
2.1.1
2.1.0
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
2.0.0-beta.3
2.0.0-beta.2
2.0.0-beta.1
1.17.0
1.16.1
1.16.0
1.15.0
1.14.0
1.13.1
1.13.0
1.12.2
1.12.1
1.12.0
1.11.1
1.11.0
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
1.10.2
1.10.1
1.10.0
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.4
1.7.3
1.7.2
1.7.1
1.7.0
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1
1.5.0
1.4.5
1.4.4
1.4.3
1.4.2
1.4.1
1.4.0
1.3.5
1.3.4
1.2.2
1.3.3
1.3.2
1.3.1
1.3.0
1.2.1
1.2.0
1.2.0-rc2
1.2.0-rc1
1.1.7
1.1.6
1.1.5
1.1.4
1.1.3
1.1.2
1.1.1
1.1.0
1.0.1
1.0.0
0.9.5
0.9.4
0.9.3
0.9.2
0.9.1
0.9
0.8.8
0.8.7
0.8.6.1
0.8.6
0.8.5
0.8.4
0.8.3
0.8.3-rc1
0.8.2
0.8.1
0.8
0.8-rc2
0.8-rc1
0.7.2
0.7.1
0.7
0.6.1
0.6
0.5
0.3
0.2
0.1
Labels
Clear labels   
bug

   
bug

   
dependencies

   
design

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
feedback-needed

   
help-needed

   
help-needed

   
installer

   
invalid

   
looking-for-sponsors

   
modoboa-contacts

   
new-ui

   
new-ui

   
pr

   
pull-request

Mirrored from GitHub Pull Request

  
pyconfr

   
python

   
question

   
security

   
stale

   
webmail

   
wontfix
No labels
bug
bug
dependencies
design
documentation
duplicate
enhancement
enhancement
enhancement
feedback-needed
help-needed
help-needed
installer
invalid
looking-for-sponsors
modoboa-contacts
new-ui
new-ui
pr
pull-request
pyconfr
python
question
security
stale
webmail
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/modoboa-modoboa#1024
No description provided.